
[FSSDK-11362] Fix CSRF security warning #448


Merged
merged 3 commits into from
Apr 24, 2025

Conversation

pvcraven
Contributor

Summary

  • PRISMA is complaining about CSRF protections being disabled in a unit test for a Flask app. While not really a vulnerability, it is good to show proper security even in an example/test. So update to enable CSRF.

Test plan

Run tests.

Issues

@Copilot Copilot AI left a comment

Pull Request Overview

This PR addresses the CSRF security warning issue by enabling CSRF protection in a Flask test application to better demonstrate secure practices, even in test scenarios.

  • Moved and updated Flask imports to include CSRFProtect.
  • Initialized CSRF protection for the test app.
  • Added a lint directive for a global variable declaration in the after_request handler.

from flask import Flask
from flask_wtf.csrf import CSRFProtect  # CSRFProtect is provided by Flask-WTF
from optimizely.helpers import enums

app = Flask(__name__)
# Initialize CSRF protection for the test app; POST/PUT/PATCH/DELETE now require a token
csrf = CSRFProtect(app)

Copilot AI Apr 23, 2025


Enabling CSRF protection in the test application may cause tests to fail if CSRF tokens are not provided. Consider updating your test configuration or request simulation to correctly handle CSRF tokens.


@pvcraven pvcraven merged commit 8062f54 into master Apr 24, 2025
24 checks passed
@pvcraven pvcraven deleted the pvcraven-csrf-fix branch April 24, 2025 14:32